OpenVPN with OCSP enabled allows connections with revoked certificates
OpenVPN doesn't honor certificate validity status against the site listed in the OCSP URL field.
Konstantin Panchenko wrote in #note-11: This is still an issue in 2.5.2; the validation code is still checking only the last line returned from "openssl". The documentation for the exec command states that the output parameter must be used to get the full output, and that would be an array. The last line analysed in the current code would look only like "Next Update: May 11 11:29:54 2021 GMT", see above. https://www.php.net/manual/en/function.exec.php I see the issue was closed by adding the "-resp_text" option; however, without analysing the whole output of the EXEC / Openssl function this won't work. I've attached my edit for review.
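An added illustration of the point in the comment above (not the attached edit and not pfSense's own code): PHP's exec() returns only the last line of output, so the certificate status has to be read from the array filled through its second argument. The function name, the serial 0x1001 and the sample "openssl ocsp" output lines are constructed assumptions.

```php
<?php
// Added example: hypothetical helper, not pfSense's OCSP verify code.

/**
 * Decide the status from every line of "openssl ocsp" output, i.e. the
 * array exec() fills through its second ($output) argument.
 * Returns true only if an explicit "<serial>: good" line is present and
 * no line for that serial says revoked/unknown. Everything else fails closed.
 */
function ocsp_cert_is_good(array $lines, string $serial): bool
{
    $good = false;
    foreach ($lines as $line) {
        // Status lines have the form "<name>: good|revoked|unknown".
        if (!preg_match('/^\s*(\S+):\s+(good|revoked|unknown)\b/i', $line, $m)) {
            continue; // timestamps, response dump, etc.
        }
        if (strcasecmp($m[1], $serial) !== 0) {
            continue; // status for a different certificate
        }
        if (strtolower($m[2]) !== 'good') {
            return false; // revoked or unknown: reject immediately
        }
        $good = true;
    }
    return $good; // empty or unparsable output => false
}

// Constructed sample output (not captured from a real responder).
$samples = [
    'good' => [
        '0x1001: good',
        "\tThis Update: May 10 11:29:54 2021 GMT",
        "\tNext Update: May 11 11:29:54 2021 GMT",
    ],
    'revoked' => [
        '0x1001: revoked',
        "\tThis Update: May 10 11:29:54 2021 GMT",
        "\tNext Update: May 11 11:29:54 2021 GMT",
        "\tRevocation Time: May  1 09:00:00 2021 GMT",
    ],
    'empty' => [], // responder unreachable, no output at all
];

foreach ($samples as $label => $lines) {
    // end($lines) is what exec() itself returns: a timestamp, never the status.
    $last = $lines ? trim(end($lines)) : '(none)';
    $verdict = ocsp_cert_is_good($lines, '0x1001') ? 'accept' : 'reject';
    printf("%-8s last line: %-44s => %s\n", $label, $last, $verdict);
}
```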
Updated by Jim Pingle about 1 year ago
- Target version deleted (
Updated by Chris Linstruth 3 months ago
OCSP is not checked at all if certificate depth checking is disabled.
openvpn.inc does not place tls-verify into the server configuration at all in that case.
Was that the case here?
Updated by Jim Pingle about 2 months ago
- Target version set to 2.7.0
- Plus Target Version set to 23.05